Amazon VPC, Networking, and Hybrid Flashcards
Amazon Virtual Private Cloud (VPC) nesting hierarchy:
Region
-> VPC (inside Region; you can have one or more VPCs in a single Region BUT a VPC can NOT span across Regions)
--> Availability Zone (inside VPC; a single VPC can have one or more Availability Zones)
---> Public/Private Subnet (inside Availability Zone)
A virtual network dedicated to your AWS account that is similar to having your own datacenter in AWS is called:
Amazon Beanstalk
Amazon Aurora
Amazon Trusted Advisor
Amazon Virtual Private Cloud (VPC)
A VPC is a virtual network dedicated to your AWS account
Similar to having your own datacenter in AWS
Is a logically isolated portion of the AWS cloud
Each VPC has its own block of IP addresses (called a CIDR (Classless Inter-Domain Routing) block)
- Subnets within a VPC have an address range carved out of the VPC's CIDR block
- Those addresses can then be assigned to EC2 instances
Spans all the Availability Zones (AZ) in the region
- By default you can create up to 5 VPCs per region
- A default VPC is created in each region with a subnet in each AZ
You have full control over who has access to the AWS resources inside your VPC
Subnets
Subnets are created within an Availability Zone
Can NOT go ACROSS Availability Zones BUT can have multiple subnets w/in an Availability Zone
Subnets can be private OR public
ROUTER
- Interconnects subnets and directs traffic between Internet Gateways, VPCs, NAT Gateways and Subnets
- Reads the destination IP address of the traffic and determines whether it stays IN the VPC (local) or, if it is an internet address, is routed to the Internet Gateway ID
- The Internet Gateway is attached to the VPC and connects it to the internet
Internet Gateway
- The Amazon VPC side of a connection to the public internet for the IPv4 protocol
Egress-only Internet Gateway
- The Amazon VPC side of a connection to the public internet for the IPv6 protocol
EC2 Instances can be launched in VPC subnets (along w/ other Amazon resources)
EC2 Instances Can communicate w/ each other
Host to Host
Via Router if you want to connect to a different subnet
- Main Route Table: 'automatically' associated w/ all of the subnets (public and private)
- Private Route Table: 'explicitly' associated w/ private subnets (optional)
Via Internet Gateway (Private Subnet must utilize a NAT Gateway via the Private Route Table to access internet)
Acts as virtual firewall for EC2 Instances and supports ALLOW rules only:
NAT Gateway
Internet Gateway
Security Groups
AMI
Security Groups
Acts as a virtual Firewall for EC2 instances
Operate at the instance level
Support ALLOW rules only (no concept of a deny rule - if it’s not ‘allowed’ it doesn’t get in)
Source can be an IP address OR a different Security Group ID from a separate EC2 Instance
Stateful firewall
- Can put a security group on an EC2 instance
- If the instance accepts the incoming traffic it will automatically allow the response traffic back out without you specifically adding an outbound rule
- If the instance is INITIATING the connection it needs an outbound rule to make the connection
Acts as virtual firewall at the subnet level and supports ALLOW and DENY rules:
NAT Gateway
Internet Gateway
Security Groups
Network Access Control Lists (NACL)
Network Access Control Lists (NACL)
Firewall at the subnet level
Support ALLOW and DENY rules
NACLs apply only to traffic entering/exiting the subnet
Stateless firewall
- Have to define rules for traffic going in both directions
- If a NACL allows inbound traffic on port 80 but has no rule allowing the return traffic back out, the response is blocked and does not leave the subnet
Processes rules in order
IP Addresses:
Public IP vs Private IP vs Elastic IP
Public IP
- ONLY used in a Public Subnet
- Is dynamic and lost when an instance is stopped
- Cannot be moved between instances
- Associated with a Private IP address on the instance
Private IP
- Are attached to all EC2 instances (whether in a Public or Private Subnet)
- Are retained when the instance is stopped
Elastic IP
- Are static Public IP addresses
- Are retained when the instance is stopped (as opposed to a Public IP address, which is dynamic and lost when the instance is stopped)
- Chargeable if not used
- Associated w/ a Private IP address on the instance
- Can be moved between instances and Elastic Network Adapters (ENA)
- ENA: virtual network card
Assists with accessing the internet from Private Subnets:
NAT Gateway
Internet Gateway
Security Groups
AMI
Network Address Translation (NAT) Gateways
Created in a Public Subnet
- Has a Public IP to talk to the internet AND a Private IP to talk to EC2 instances on a Private Subnet
Assists with accessing the internet from private subnets:
- Need to be sure the NAT Gateway ID is specified in the Private Route Table
When an EC2 instance on a Private Subnet wants to connect to the internet it sends the traffic to the Private Route Table
-> The Private Route Table recognizes that the destination address is outside the internal address range and the traffic needs to go to the NAT Gateway
-> The NAT Gateway uses its Public IP to connect to the Internet Gateway
NAT Gateways are managed by AWS
- Elastically scalable
- Automatic high availability
- Can create multiple NAT Gateways across multiple Availability Zones
Network Address Translation (NAT) Instances
Similar to a NAT Gateway but it is the 'old' way of doing things
NAT instances are managed by 'you'
Need to be manually scaled (scaled up and not out)
No high availability
Way to connect VPCs together so they can communicate w/ each other using Private IP addresses. Enables routing using private IPv4 or IPv6 addresses between 2 VPCs (not the internet):
NAT Gateway
Internet Gateway
Security Groups
VPC Peering Connection
VPC Peering Connection
Way to connect VPCs together so they can communicate w/ each other using PRIVATE IP addresses
Enables routing using private IPv4 or IPv6 addresses between 2 VPCs (not the internet)
Peering links are not transitive, so if you have 3 VPCs (A, B, C) and you want to go from A to C you have to peer A directly with C; you can't go 'through' VPC B
Virtual Private Network (VPN) connection between on-premises sites (datacenters) to AWS:
VPC Peering Connection
AWS Managed VPN
AWS VPN CloudHub
AWS Direct Connect
AWS Managed VPN
Virtual Private Network (VPN) connection between on-premises sites (datacenters) to AWS
Also known as AWS Site to Site VPN
Variable performance since data is moving over the internet
Uses encrypted connection over the public internet to connect Virtual Private Gateway (VGW) to Customer Gateway
VIRTUAL PRIVATE GATEWAY (VGW)
- The Amazon VPC side of a Virtual Private Network (VPN) connection
CUSTOMER GATEWAY
- The customer side of a VPN connection
Virtual Private Gateway deployed on AWS site and connects to multiple remote offices in a hub-and-spoke model:
VPC Peering Connection
AWS Managed VPN
AWS VPN CloudHub
AWS Direct Connect
AWS VPN CloudHub
Virtual Private Gateway is deployed on AWS site and connects to multiple remote offices in a hub-and-spoke model
Customer remote offices can also communicate w/ each other via AWS
Private connection from an on-premises (customer) datacenter/office to AWS via an AWS Direct Connect location:
VPC Peering Connection
AWS Managed VPN
AWS VPN CloudHub
AWS Direct Connect
AWS Direct Connect
PRIVATE connection from an on-premises (customer) datacenter/office to AWS via an AWS Direct Connect location
The AWS Direct Connect location is geographically located close to the customer
- Private connection between the customer datacenter and the AWS Direct Connect location
- From there a private connection carries the traffic into AWS
Consistent network performance/experience because it is not an internet connection
Increased speed/decreased latency
Increased bandwidth/throughput
Typically more expensive than VPN UNLESS you are transferring large volumes of data